This document summarises current and upcoming cybersecurity policies and directives in Europe. It notes that the EU considers cybercrime a major threat and has made it one of its priorities in the fight against serious and organised crime for 2014 to 2017. Key policies and directives covered include the 2009 policy on Critical Information Infrastructure Protection, the directives on combating child sexual abuse and on attacks against information systems, and the upcoming Network and Information Security (Cyber Security) Directive and the reform of EU data protection law. The document outlines the objectives and focus areas of these measures for enhancing cybersecurity capabilities and cooperation across Europe.
3. Who Am I?
CEO of BH Consulting – Independent Information Security Firm
Founder & Head of IRISSCERT – Ireland's first Computer Emergency Response Team
Special Advisor on Internet Security to Europol's European Cybercrime Centre (EC3)
Adjunct Lecturer at University College Dublin
Expert Advisor to the European Network & Information Security Agency (ENISA)
Regularly comments on media stories – BBC, Forbes, Bloomberg, FT, Guardian, Sunday Times
6. "considers cybercrime to be an ever-increasing threat to the EU in the form of large-scale data breaches, online fraud and child sexual exploitation, while profit-driven cybercrime is becoming an enabler for other types of criminal activity."
Europol, EU Serious and Organised Crime Threat Assessment (SOCTA) 2013
7. "Total Global Impact of CyberCrime US$ 3 Trillion, making it more profitable than the global trade in marijuana, cocaine and heroin combined."
Europol, EU Serious and Organised Crime Threat Assessment (SOCTA) 2013
8. "cybercrime as one of nine EU priorities in the fight against serious and organised crime between 2014 and 2017"
The Justice and Home Affairs Council of 6-7 June 2013
10. Policy on Critical Information Infrastructure Protection (CIIP) – 2009
Focuses on protecting Europe from cyber disruptions by enhancing security and resilience.
Based on five pillars:
Preparedness and prevention
Detection and response
Mitigation and recovery
International cooperation
Criteria for European Critical Infrastructures in the field of ICT
11. DIRECTIVE 2011/92/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 13 December 2011
on combating the sexual abuse and sexual exploitation of children and child pornography, and replacing Council Framework Decision 2004/68/JHA
(to be transposed into national law in the Member States by 18 December 2013)
12. DIRECTIVE 2013/40/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 12 August 2013
on attacks against information systems and replacing Council Framework Decision 2005/222/JHA
(to be transposed into national law in the Member States by 4 September 2015)
13. What Directive 2013/40/EU does
Sets out minimum rules defining criminal offences and the relevant sanctions.
Improves operational cooperation between Member States' national law enforcement services.
Improves operational cooperation between Member States and the relevant EU agencies (Eurojust, Europol, ENISA).
Requires Member States to respond within eight hours to an urgent request for assistance relating to a cyber-attack.
EU agencies will conduct threat assessments and strategic analyses of cybercrime.
All such activities must also comply with existing EU legislation on privacy, electronic communications and data protection.
14. The main offences defined in the Directive are:
illegal access to information systems
illegal interference with systems or data
illegal interception of data transmissions
stricter criminal sanctions for attacks carried out using botnets
15. EU Cyber Security Strategy – 2013
Key priorities for the Strategy:
Freedom and openness
The EU's laws, norms and core values apply as much in cyberspace as in the physical world
Developing cyber security capacity building
Fostering international cooperation in cyberspace
16. The Cyber Security Directive (formally the Network & Information Security Directive, "the Directive")
Brings all Member States up to a minimum security standard
Promotes cooperation and ensures preparedness and transparency in important sectors
Introduces mandatory breach notification for certain organisations
Requires all Member States to develop a national network and information security strategy
Requires each Member State to appoint a single point of contact among its national competent authorities (NCAs)
17. Changes to the Data Protection Directive
Expected to be adopted in 2015
Fines of up to €100 million or 5% of global annual turnover for data breaches
Mandatory breach notification "without undue delay"
Right to be forgotten
Companies with more than 250 employees will need to appoint a Data Protection Officer
Privacy by default baked into all business processes and services
18. Trend Micro's UK study on the Data Protection reform
50% of UK IT decision makers were unaware of the impending legislation
25% were adamant that compliance is not achievable
20. ENISA Objectives (as set out in its founding Regulation)
To enhance the capability of the Commission, other EU bodies and the Member States to prevent, address and respond to network and information security (NIS) problems
To provide assistance and deliver advice to the Commission and the Member States on issues related to NIS falling within its competencies as set out in the Regulation
To develop a high level of expertise and use this expertise to stimulate broad cooperation between actors from the public and private sectors
To assist the Commission, where called upon, in the technical preparatory work for updating and developing Community legislation in the field of NIS
21. ENISA Areas of Research
Computer Emergency Response Teams
Resilience of Networks and Services and Critical Information Infrastructure Protection
Identity, Privacy and Trust
Risk Management